A desktop "secrets" API

By Jake Edge
July 29, 2009

There is often a fair amount of secret information that a Linux user might store on their computer—things like passwords for sensitive sites, private ssh keys, and Swiss bank account numbers. If multiple applications, typically desktop applications, need to access that information, there are solutions in the form of GNOME Keyring and KDE Wallet, but those solutions are only available to applications written for those specific desktop environments. A new freedesktop.org initiative, started by the developers of those two solutions, aims to create a "Secrets API" that can be used across desktop environments so that users can have access to their secrets from any application, regardless of which desktop it comes from.

The project was announced by KDE Wallet developer Michael Leupold on the XDG mailing list (as well as on his blog). The basic idea is fairly straightforward: users will still run Keyring or Wallet as part of their login session—which will depend on the desktop they use—but there will be an API that allows applications to extract these secrets without caring which secret storage program is providing them.

Not surprisingly, given that it is a cross-desktop API, D-Bus will be used to implement a protocol for extracting the needed secrets. Applications will then use the new API so that they are insulated from the underlying secret storage service. In his blog posting, Leupold notes that he will be trying to provide backward compatibility: "While I expect a new client-side API (which I imagine to be more OO style than KWallet::Wallet), I'll keep an eye on providing something the current class can wrap so even applications using the old API will be able to use the new system." It seems likely that Stef Walter, the Keyring developer, will do something similar for GNOME applications.

In the Secrets API, secrets are just arrays of bytes that get transferred, possibly encrypted, between the application and the storage facility. Each secret is associated with a simple dictionary (i.e. set of name, value pairs) called "lookup attributes", which are to be used to find the secret. In addition, secrets have a label and properties associated with them. Secrets can then be grouped into "collections", which more or less correspond to today's keyrings or wallets.

Items and collections can be locked, such that an unlocking process needs to happen before they can be accessed. In practice, that would generally mean that the user was prompted for a password before the item or collection could be retrieved by the application.

Clients can negotiate encryption of the secret information as it is transferred to or from the storage service. While that may seem like a good idea overall, the API documentation comes with some fairly strong caveats:

The encryption is not envisioned to withstand man in the middle attacks, or other active attacks. It is envisioned to minimize storage of plain text secrets in memory and prevent plain text storage of secrets in a swap file or other caching mechanism.

Many client applications may choose not to make use of the provisions to encrypt secrets in transit. In fact for applications unable to prevent their own memory from being paged to disk (eg: Java, C# or Python apps), [transferring] encrypted secrets would be an [exercise] of questionable value.

There are more details, of course, and the API specification is being discussed and revised on the freedesktop.org Authentication mailing list. In addition, there is discussion of higher-level topics on the list, such as how browsers will identify their secrets so that moving between browsers, while still being able to use the password information stored for the user, is easy. As Leupold notes that is one of the most likely scenarios for users needing the Secrets API.

With this API in place, GNOME users could use Konqueror and still have access to their passwords, and the same goes for KDE users and Epiphany. As Leupold points out in his blog posting, though, Mozilla has not shown any interest, at least yet. Integrating with the Linux desktop has not really ever been a priority for Mozilla, so one might expect Firefox, et al. to lag in this area.

Even for those not running one of the "big two" desktop environments, a suitably configured system—with D-Bus and one of the secret storage services enabled—could take advantage of the Secrets API. Interoperability between desktop environments is a good thing, and not having to store passwords somewhere external, so that one can "browser hop" can only be a good thing as well. As it matures, other applications needing to store secrets will presumably use it too. Having a single, hopefully well-vetted, location for storing this kind of information—encrypted and password-protected—may also lead to better security for users.

Index entries for this article
Security	Desktop

to post comments

A desktop "secrets" API

Posted Jul 30, 2009 4:00 UTC (Thu) by thedevil (guest, #32913) [Link] (3 responses)

"regardless of which desktop it comes from"

How about "None"? Why exactly is it the business of _desktop environments_ (basically suites of programs with the same graphical user interface style) to define an API for this purpose?

Why? Becasuse they can and already do!

Posted Jul 30, 2009 5:01 UTC (Thu) by xoddam (subscriber, #2322) [Link] (1 responses)

KDE and Gnome already provide implementations with their own APIs, to be shared amongst their various applications. Mozilla has another, but I don't know if separate instances of Firefox and Thunderbird run by the same user can actually share the secret store between them. Every mail client and most browsers will store authentication credentials for you if you so desire. Putty and network-manager do too. Ssh provides a forwarding agent for sharing credentials across machines. We used to have to put our dialup or PPPoE credentials in plaintext in a 'secrets' file under /etc/ppp.

The problem that a new unified secrets API is proposed to solve is not the absence of a keeping place for secrets or an API for that keeping place, it is the incompatibility of the existing implementations: to date, there is no way to share your secrets among the programs you run, you have to copy them about manually. The exceptions are that you *can* share them amongst GNOME applications and, separately, amongst KDE applications.

See also 'monkeysphere', recently announced, which tries to solve a similar problem (in a completely different way).

http://web.monkeysphere.info/

Why? Becasuse they can and already do!

Posted Aug 10, 2009 12:09 UTC (Mon) by gerv (guest, #3376) [Link]

Different Mozilla applications do not currently share a secrets store.

Gerv

A desktop "secrets" API

Posted Aug 3, 2009 11:49 UTC (Mon) by Klavs (guest, #10563) [Link]

Well - if using dbus - you could use mdbus in a script - or dbus can be used from cli tools as well - so it shouldn't have to be desktop centric - or perhaps I'm missing something :)

A desktop "secrets" API

Posted Jul 30, 2009 7:07 UTC (Thu) by johill (subscriber, #25196) [Link]

Yay. Then somebody only needs to make a daemon that accesses the OSX password store too, on this API, to make things rock there too :)

A desktop "secrets" API

Posted Jul 30, 2009 7:09 UTC (Thu) by johill (subscriber, #25196) [Link] (1 responses)

Incidentally, I think over time such an API should be extended to make it possible to have the secret never leave the daemon.

So, for example, if you want to sign an email, all the information necessary to sign is transferred to the daemon, not the key information from it -- the latter might not even be possible once you factor in smartcards etc.

Of course, that's somewhat out of scope for a 'secrets API' but I believe that it should be integrated eventually for more pervasive crypto.

A desktop "secrets" API

Posted Jul 30, 2009 22:36 UTC (Thu) by martinfick (subscriber, #4455) [Link]

Agreed, and I do not think that this is out of the scope of such an API, but rather it seems essential, if not, what's the point? This is a place where free software could take a major lead if this is implemented!

For systems without smartcards, we should have "smart user accounts". The API would actually contact a daemon running as another user for me, the "smart user account" which has access to my secrets. My ordinary user account which my apps run as should never be able to access my secrets. This user would only be accessible by me (not a shared 'root' system daemon) and would use my secrets to do things on behalf of the API, authenticate logins, sign documents, encrypt things, but it would not reveal my secrets. A little bit like the user security model from android.

Naturally, as currently, the API could additionnaly be configured to still require pass phrases or other authentication means to access the API, but this should be more granular than the simple all or nothing model of say Firefox. For low security web sites why should I be prompted for a passphrase simply because I want my bank to be passphraseable to the API?

A desktop "secrets" API

Posted Jul 30, 2009 7:35 UTC (Thu) by ptman (subscriber, #57271) [Link] (1 responses)

I was hoping we would have something grander, like Plan9 has: http://plan9.bell-labs.com/sys/doc/auth.html

A desktop "secrets" API

Posted Jul 30, 2009 12:56 UTC (Thu) by jond (subscriber, #37669) [Link]

maybe the secrets API taskforce folks aren't aware of this - has anyone pointed it out to them?

The no encyption caveat?

Posted Jul 30, 2009 11:24 UTC (Thu) by alex (subscriber, #1355) [Link] (1 responses)

Is that possible, surely on a multi-user system you don't want people listening to the dbus connection and sniffing your secrets? I assume this information is going across the session bus rather than the system bus but it presents a very tempting attack target.

I take the point that any client storing secrets that can't lock pages in RAM is also exploitable but how about some sort of defense in depth?

The no encyption caveat?

Posted Jul 30, 2009 19:17 UTC (Thu) by rvfh (guest, #31018) [Link]

I think that it's called dbus by analogy with hardware buses, but it's probably just a bunch of shared memory, so there is in fact no bus to sniff, unless you have the right permissions (which I expect to be kinda -rw-------).

Correct me if I'm mistaken... which I might well be!

A desktop "secrets" API

Posted Jul 31, 2009 20:31 UTC (Fri) by dps (guest, #5725) [Link] (1 responses)

Given the need for secrets in other contexts, like private keys in NIS+ and the server side of SSL, I am unsure that the desktop is the right place for this sort of functionality.

I would instead propose that some form of kernel secret storage, which also has the advantage of being immune to things like ptrace(2). Given some mm work it might be possible to mark pages as sensitive and never allow direct user space any access to sensitive pages.

The user space API could be a sepccial file system with more security features. Implementing an OO style API in terms of such a file system should not be rocket science.

There is already an (expensive) version of this available now and it is called a hardware security module. At least one vendor supports Linux.

A desktop "secrets" API

Posted Jul 31, 2009 20:58 UTC (Fri) by johill (subscriber, #25196) [Link]

There already is a kernel key storage. However, I don't agree that it's always the best thing to do -- things like smartcards don't really have or need kernel drivers. And I wouldn't think a secrets API implementation needs to be part of a desktop either.

A desktop "secrets" API

Posted Aug 6, 2009 18:29 UTC (Thu) by quintile (guest, #60088) [Link]

plan9 has had something similar.
secstore - which holds your secrets as a text file and is unlocked by a single password, and
factotum - which serves secrets if necessary, or keeps them hidden if challange/respose auth is
used. If this is of interest more details here http://plan9.bell-labs.com/sys/doc/auth.pdf

-Steve